Many Internet protocols and applications are designed to serve large public user groups. Because of this, Internet Servers were designed to serve their community in a stateless manner. One request to the server has no relationship to the previous or next request. All requests are independent, rather than considered as part of a user "session" to that server. This approach simplified server activity to service many requests from many users, without having to establish and track sessions for each user. However, the approach introduces a new problem to solve; user privacy and security.
In a network environment, security issues such as communication channel integrity and privacy, user authentication, and user authorization exist. Communication between two end points in a network has to be guarded against outside intervention (i.e., High Voltage noise, Lightning or Human). Security affording protection against this kind of intervention is commonly referred to as communication channel integrity and privacy.
Channel integrity and privacy precautions against "natural" events and are typically handled by communication protocols. Algorithms have been developed over the years to perfect and solve these "natural" events and have been proven effective through many years of usage. However, when introducing a channel integrity and privacy problem, such as Human intervention, the reliability of these algorithms deteriorates. Protocol level controls typically do not encrypt data, enabling human intervenors to change Cyclic Residency Control (CRC) information and any information on an open transmission channel. Hence, any user sensitive data (for example, credit card numbers or other private user information) traveling on the Internet can be obtained by any human intervenor.
In an effort to resolve this problem, Web Technology providers architected Secure Socket Layer (SSL). SSL is the product residing between Web applications and the Communication Protocol Layer. SSL provides data encryption, server authentication and message integrity for TCP/IP connections. This effectively handles protecting the privacy and integrity of data traveling over the Internet.
User authentication is defined as "determining the true identity of a user or an object attempting to access a system." Any non-public system has to have an authentication system in order to filter and identify users from one another. However, Web servers do not typically keep track of the user identity throughout the duration of that users visit to the site. For complete security, the user identity must be provided with each request made of the Web server. This may be accomplished by having the user "log on" for each new request, or by conducting a behind the scenes "re-authentication" of the user for each request. These techniques are, however, inconvenient for the user and/or time consuming for the application.
User authorization involves determining what types of activities are permitted for an authenticated user or object. Authorization is generally grouped into two categories: (1) Data Set Authorization (typically controlled by the application), and (2) Function Set Authorization (typically controlled by the operating system).
Based on the foregoing, we have determined that web user "authentication" must first be accomplished before optionally following with user "authorization". Hence, efficiency may be increased if "authentication" for each "authorization" request is eliminated.